SharePoint 2007 contains a lot of options for security configuration. In larger site collections, it is very easy to loose the overview of how the security in your site collections is configured. Publishing parts of the content in your site collections for anonymous users, makes this even harder. And if you grant your power users the permissions to manage the security settings themselves, it suddenly is impossible to keep an overview. If you have done support for a SharePoint environment and have tried to solve security issues, you probably are familiar with this problem. Security blueprints can help you in this scenario. These blueprints are a report of all security related settings in your sites. In the first version of the product, these reports are published as XML files. By creating your own XSLT stylesheets, you can use this product to create your own reports on the security setup of your SharePoint sites.
A number of sample support questions that can be addressed easier using Security Blueprints:
- I am getting all these request e-mails asking me to grant users permissions. How do I find all places where my e-mail address is configured to be the contact for access requests?
- The Table of Contents web part does not take permissions into account. We have a number of sub sites with unique permissions, but my users see all subsites. In my other site collection, this works as expected. Using a security blueprint, you can easily check the permissions on these sites and find out users see the subsites in the navigation, because anonymous access is turned on for these sites.
- I have granted my project managers our custom permission level that allows them to add people to specific SharePoint groups, but it does not work. They cannot add users. In another site collection, this works as described. By comparing security blue prints from the 2 site collections, you can quickly find out the custom permission level misses one of the critical permissions.
The most important settings that are (currently) included in the report:
- SharePoint sitegroups and their permissions
- Permission levels
- Lists / Document libraries and their security settings
- Anonymous settings
- Request Access settings
- Activated Site Features
- Activated Site Collection Features
- Site Collection Administrators
Security blueprints are generated manually by a site administrator, or on a scheduled basis by the Security Blueprints timerjob. See the installation article on this weblog for the installation and setup instructions. The reports are published as XML files in an automatically created document library. This library can be added to every site collection, or to a central storage location. Every time a blueprint is generated (manually or scheduled), the library is checked if a report was previously published for the site collection. If this is not the case, the report is published as a Full Report. If a report was previously published, this report is compared to the new report. If there are changes, a new Full Report is published. If there are no changes, a No Changes report is published.
You can exclude specific parts of your site collections by configuring Endpoints. See the installation article for details.
The screenshot below shows the blueprints library after the first 3 runs of the process in an empty site collection based on the Collaboration Portal template. After the first run, I have created custom permissions for the Reports site and the document library in the document center. This results in a new full report in the second run. In the 3rd run, there were no changes, as can be seen in the screenshot. To get an idea of what a security blueprint report looks like, the last Full Report of this site collection is available on this link.
Another scenario where security blueprints can help is when you have multiple site collections that upon launch have the same structure and security setup. Before the lauunch of your new site collections, you create a blueprint of the new site collection. Now your site collection administrators can go wild and do their thing. By automatically publishing a new security report if something changes in the security setup, it is much easier for you to track when security settings are changed. This can make troubleshooting these nasty secuity issues a lot easier. It allows you to identify the differences between the original security setup (the blueprint) and the current setup in your site collections.
You can download Security Blueprints on the SharePoint Objects site on CodePlex.